← Library
sigmaDRL-1.1from SigmaHQ/sigma

CredUI.DLL Loaded By Uncommon Process

Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".

Quality
46
FP risk
Forks
0
Views
0
ATT&CK techniques
T1056.002
Rule sourcerules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml
title: CredUI.DLL Loaded By Uncommon Process
id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
status: test
description: Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
references:
    - https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password
    - https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
    - https://github.com/S12cybersecurity/RDPCredentialStealer
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-20
modified: 2025-12-09
tags:
    - attack.credential-access
    - attack.collection
    - attack.t1056.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        - ImageLoaded|endswith:
              - '\credui.dll'
              - '\wincredui.dll'
        - OriginalFileName:
              - 'credui.dll'
              - 'wincredui.dll'
    filter_main_generic:
        Image|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\SystemApps\'
    filter_main_full:
        Image:
            - 'C:\Windows\explorer.exe'
            - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
            - 'C:\Windows\regedit.exe' # This FP is triggered for example when choosing the "Connect Network Registry" from the menu
    filter_optional_opera:
        Image|endswith: '\opera_autoupdate.exe'
    filter_optional_process_explorer:
        Image|endswith:
            - '\procexp64.exe'
            - '\procexp.exe'
    filter_optional_teams:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Microsoft\Teams\'
        Image|endswith: '\Teams.exe'
    filter_optional_onedrive:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Microsoft\OneDrive\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Other legitimate processes loading those DLLs in your environment.
level: medium